CVE-2019-8320

Published: 05 Mar 2019
Source: redhat
CVSS3: 7.4

Description

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
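A defensive illustration of the "delete the target destination" step the description refers to, added here as an example and not taken from RubyGems or this page: the destination is checked for traversal and for symlinked components before anything is removed, so a planted link cannot redirect the delete. The helper names and the temporary-directory layout are assumptions.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper (not RubyGems code): may archive entry +entry_name+ be
# written under +install_dir+ without touching anything reached via a symlink?
def safe_destination?(install_dir, entry_name)
  root = File.realpath(install_dir)
  dest = File.expand_path(entry_name, root)
  # "../x" or an absolute entry name resolves outside the install root.
  return false unless dest.start_with?(root + File::SEPARATOR)
  # Walk each existing component below the root; refuse if any is a symlink
  # (File.symlink? uses lstat, so a dangling link is caught as well).
  current = root
  dest.delete_prefix(root + File::SEPARATOR).split(File::SEPARATOR).each do |part|
    current = File.join(current, part)
    break unless File.exist?(current) || File.symlink?(current)
    return false if File.symlink?(current)
  end
  true
end

# Pre-extraction step done safely: the existing destination is removed only
# after the checks pass, so a planted link never redirects the delete.
def prepare_destination!(install_dir, entry_name)
  raise ArgumentError, "refusing unsafe entry #{entry_name}" unless safe_destination?(install_dir, entry_name)
  dest = File.expand_path(entry_name, File.realpath(install_dir))
  FileUtils.rm_rf(dest) if File.exist?(dest)
  dest
end

# Constructed demo: a "victim" directory outside the install dir, reachable
# through a symlink planted inside it. Returns the check results plus whether
# the victim file survived.
def demo
  Dir.mktmpdir do |tmp|
    install = File.join(tmp, "gems")
    victim  = File.join(tmp, "victim")
    FileUtils.mkdir_p(install)
    FileUtils.mkdir_p(victim)
    File.write(File.join(victim, "keep.txt"), "important")
    File.symlink(victim, File.join(install, "lib"))
    results = [
      safe_destination?(install, "lib/keep.txt"),      # via symlink -> false
      safe_destination?(install, "bin/tool"),          # fresh path   -> true
      safe_destination?(install, "../victim/keep.txt") # traversal    -> false
    ]
    results << File.exist?(File.join(victim, "keep.txt"))
  end
end
```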

Affected packages

Platform                            Package                 Status        Advisory         Release
Red Hat Enterprise Linux 6          rubygems                Not affected
Red Hat Enterprise Linux 7          ruby                    Not affected
Red Hat Software Collections        rh-ruby23-ruby          Will not fix
Red Hat Software Collections        rh-ruby26-ruby          Not affected
CloudForms Management Engine 5.10   cfme                    Fixed         RHSA-2019:1429   11.06.2019
CloudForms Management Engine 5.10   cfme-amazon-smartstate  Fixed         RHSA-2019:1429   11.06.2019
CloudForms Management Engine 5.10   cfme-appliance          Fixed         RHSA-2019:1429   11.06.2019
CloudForms Management Engine 5.10   cfme-gemset             Fixed         RHSA-2019:1429   11.06.2019
CloudForms Management Engine 5.10   ruby                    Fixed         RHSA-2019:1429   11.06.2019
Red Hat Enterprise Linux 8          ruby                    Fixed         RHBA-2019:3384   05.11.2019


Additional information

Status: Moderate
Defect: CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=1692512
rubygems: Delete directory using symlink when decompressing tar

CVSS3: 7.4 High

Related vulnerabilities

ubuntu, over 6 years ago, CVSS3: 7.4 (same description as above)


nvd, over 6 years ago, CVSS3: 7.4 (same description as above)


debian, over 6 years ago, CVSS3: 7.4

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later ...

github, over 6 years ago, CVSS3: 7.4

RubyGems Delete directory using symlink when decompressing tar

fstec, over 6 years ago, CVSS3: 7.4

A vulnerability in the RubyGems package management system caused by improper limitation of a pathname to a restricted directory, allowing an attacker to affect data integrity.
